hombre_fatal 2 days ago

I got an official email from Paypal last week saying that I had a charge for $900 at Kraken, and to call some number if it's suspicious.

What's great about the attack is that it's sent from paypal.com and signed by paypal. And the email contains a legit link to paypal, not some phishing site. But the phone number is the attack.

The attack:

1. Register a paypal business account

2. Add the victim's email address (or one that forwards to them) to the biz account's "secondary users"

3. Add a custom invitation message about how they have a $900 charge that they need to contest by calling a phone number that you control.

4. Paypal shows your custom invitation message inline with their official email with no indication that it was written by someone other than paypal (wtf?)

Here's the email that was of course surrounded by Paypal's own official email chrome:

> New Profile Charge: We have detected a new payment profile with a charge of $910.45 USD at Kraken.com. To dispute, contact PayPal at (805) 500-8413. Otherwise, no action is required. PayPal accept automatic pending bill from this account.Your New PayPal Account added you to the Crypto Wallet account.

I called the number and some guy started asking me for my info starting with my full name. I didn't hang around on the call long enough to see what the attack was.

coldfoundry 2 days ago | parent | next [-]

Wow, that's pretty bad. Reminds me of the old PayPal Invoice scams where scammers would upload the PayPal logo as the invoice logo (which appears top left) and essentially "bill" the user. The scammer then adds inside the invoice note a paragraph explaining "Your money is being held due to currency exchange issues", which gives a basic reason for the "monetary deduction". It got me as a kid; it was quite slick for the time. Thought these scam methods would be at least flagged these days before going out.

sschueller 2 days ago | parent | prev | next [-]

This kind of incompetence should result in PayPal losing its banking permits in the EU. This is unacceptable, there is no way for an average person to identify the fraud, and that is PayPal's fault.

There should be no way to send custom text from Paypal to a stranger. They don't even parse out phone numbers!
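
As an added example (not from this thread and not PayPal's own code), here is the kind of check sschueller is asking for: a filter a provider could run over customer-written invitation text before embedding it in a branded email, flagging phone numbers, currency amounts and dispute wording. The sample messages are constructed from the text quoted above, and the regexes, term list and block policy are assumptions.

```python
import re

# Constructed sample inputs: the invitation text quoted in the thread, and a benign one.
SCAM_MESSAGE = (
    "New Profile Charge: We have detected a new payment profile with a charge of "
    "$910.45 USD at Kraken.com. To dispute, contact PayPal at (805) 500-8413. "
    "Otherwise, no action is required."
)
BENIGN_MESSAGE = "Hi Sam, adding you to the Acme Widgets account so you can issue refunds."

# Phone-like runs: optional + or (, a digit, 6+ digits/separators, a digit, e.g. "(805) 500-8413"
PHONE_RE = re.compile(r"\+?\(?\d[\d\s().-]{6,}\d")
# Currency amounts such as "$910.45" or "910.45 USD"
AMOUNT_RE = re.compile(r"[$€£]\s?\d[\d,]*(?:\.\d{2})?|\b\d[\d,]*(?:\.\d{2})?\s?(?:USD|EUR|GBP)\b")
# Wording typical of a fake dispute notice (assumed list, tune to real samples)
URGENCY_TERMS = ("dispute", "suspicious", "charge", "unauthorized", "call", "contact", "detected")


def find_phone_numbers(text):
    """Return phone-number candidates: separator-laden runs holding 7 to 15 digits."""
    hits = []
    for m in PHONE_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 7 <= len(digits) <= 15:
            hits.append(m.group().strip())
    return hits


def assess_invitation_message(text):
    """Decide whether customer free text may be embedded in a provider-branded email.

    Returns (block, reasons). Policy (assumed): any phone number blocks outright,
    since an account invitation has no legitimate need for one; a currency amount
    combined with dispute wording also blocks; anything else passes, reasons logged.
    """
    reasons = []
    phones = find_phone_numbers(text)
    if phones:
        reasons.append(f"phone number(s) in free text: {phones}")
    amounts = AMOUNT_RE.findall(text)
    if amounts:
        reasons.append(f"currency amount(s): {amounts}")
    lowered = text.lower()
    terms = [t for t in URGENCY_TERMS if re.search(rf"\b{t}\b", lowered)]
    if terms:
        reasons.append(f"dispute/urgency wording: {terms}")
    block = bool(phones) or (bool(amounts) and bool(terms))
    return block, reasons
```

Running `assess_invitation_message(SCAM_MESSAGE)` blocks on the phone number, the amount and four dispute terms, while the benign invitation passes with no reasons.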

gbalduzzi 2 days ago | parent | prev [-]

Let's say someone falls for this.

What happens next, when they become the business account secondary user?

hombre_fatal 2 days ago | parent | next [-]

I added to my comment, but when you call the number, you talk to the attacker and they ask you questions about you and your account. Maybe they try to buy crypto with it or they prime you to go to some attack website and use your paypal account to buy something.

edm0nd 2 days ago | parent [-]

Oh no, not at all.

They will attempt to get you to install AnyDesk or some kind of remote software and then pwn your computer. They will remote in "to fix the hack" because your computer is obviously infected with a virus. Then they either just steal your money from your bank account, etc.
